Executive Summary

On June 4, Republican and Democratic members of the U.S. House jointly released a discussion draft of the Great American AI Act (GAAIA), and it answers one question head-on: who vouches for a company's claim that "this AI was built safely"? The draft's answer is not the company's own word, but an outside verifier that the government has licensed.

Large frontier developers with more than $500 million in annual revenue would have to undergo a regular audit by one of these licensed verifiers, called an Independent Verification Organization (IVO), every six months. Just as an accounting firm audits a public company's financial statements, an independent body examines an AI developer's risk-management practices and files a report. For companies that work on data and model quality, this shift isn't just regulatory news — it redraws the definition of the market.

It is still a discussion draft, not yet formally introduced, so its odds of passage are slim. The direction, however, is unmistakable. If AI auditing hardens into a licensed profession the way financial auditing did, then producing "verifiable evidence about data and models" becomes regulatory infrastructure.

Key Figures

Four numbers lay bare the draft's skeleton: the revenue threshold that decides who gets audited, the cadence at which audits recur, the price of breaking the rules, and the size of the agency that will enforce the regime. Together they show just how concrete the machinery is for converting a company's declaration into outside verification.

Source: DLA Piper, "Unpacking the Great American AI Act"

$500M

IVO audit threshold

Large developers above $500M annual revenue

6 months

Regular audit cadence

Semiannual, starting one year after enactment

$1M/day

Maximum penalty

Per day for refusing an audit or making false statements

$15M→$100M

CAISI budget expansion

The licensing and oversight agency

1

Who Vouches for the Claim "We Built This AI Safely"?

Until now, AI safety has rested largely on a developer's own say-so. When a company building frontier models announced that it had "assessed the risks and mitigated them enough," that announcement was effectively the guarantee. There was almost no mechanism for anyone outside to independently confirm whether the assessment was done properly.

The Great American AI Act draft released on June 4 sets out to change that. It is a 269-page bipartisan draft jointly introduced by Republican Jay Obernolte and Democrat Lori Trahan. Its core idea is to have safety claims verified from outside the company. When a firm says it is safe, a third-party body licensed by the government checks whether that is true.

What changes is a single phrase: from "we built it safely" to "an independent body confirmed it is safe." It is the same principle by which a public company's financial statements are vouched for not by the company, but by an outside auditor.

U.S. Capitol building west front — the Great American AI Act discussion draft was released here on June 4, 2026
▲ U.S. Capitol, west front. The GAAIA discussion draft was released here on June 4, 2026. | Source: Wikimedia Commons (PD)
2

What GAAIA Really Invents Is a Licensed AI Auditor

At the heart of the draft sits the Independent Verification Organization (IVO). An IVO is an outside specialist body that audits frontier AI developers, but not just anyone can become one. The director of CAISI (the Center for AI Standards and Innovation, housed under NIST) issues and oversees the licenses. Without a license, an organization is not qualified to perform an audit.

CAISI (Under NIST — issues & oversees licenses) licenses IVO (Independent Verification Org — audits once licensed) regular audit regular audit Large Frontier Developer Revenue > $500M — IVO audit required General Frontier Developer Revenue > $50M — transparency report only
▲ GAAIA's AI audit chain — original Pebblous diagram. CAISI licenses IVOs; IVOs conduct regular audits of large frontier developers.

2.1Who Gets Audited

The draft splits the regulated population into two tiers. A general frontier developer — one that develops frontier models and earns at least $50 million in annual revenue — must publish a transparency report and report critical safety incidents. On top of that, a large frontier developer with more than $500 million in annual revenue picks up the IVO audit obligation. These are companies on the order of OpenAI, Anthropic, Google DeepMind, and Meta AI. Smaller startups are explicitly left out.

The definition of a frontier model is just as precise: one trained on broad datasets, designed for general-purpose output, and using more than 10²⁶ operations of compute. In practice, the threshold targets today's largest models at the leading edge.

2.2How the Audit Works

Audits begin one year after the law takes effect and recur every six months thereafter. If a critical incident occurs or a model is substantially modified, the CAISI director may also request an interim audit. A developer under audit must give the IVO access to all reasonably necessary information — unredacted materials, records, personnel, and systems.

What the IVO checks is whether the developer's frontier AI framework, governance policies, risk monitoring, and mitigation strategies actually keep catastrophic risk within tolerable bounds. When the audit is finished, the IVO files a report with the CAISI director. If it finds a violation, it must notify the Attorney General and state attorneys general; an imminent catastrophic risk must be reported immediately. Refusing an audit or making a material false statement carries a penalty of up to $1 million per day of violation.

The authority to run all of this grows in step. CAISI's budget, currently around $15 million, would expand to $100 million a year ($300 million total authorized for FY2027–2029), and the agency would gain special authority to hire technical experts above standard government pay caps. As Representative Trahan put it, the design aims to make "CAISI a credible federal counterpart to the frontier labs."

3

Why This Structure Looks Like a Financial Audit

The IVO structure looks unfamiliar at first, but it grows familiar the moment you think of finance. A public company does not vouch for its own financial statements. A state-recognized certified public accountant audits them independently, and those auditors are in turn registered and overseen by a higher body. GAAIA transplants this familiar model onto AI almost intact.

3.1Mapping It to the Financial-Audit Structure

Set the roles side by side and the correspondence is sharp.

Financial audit GAAIA's AI audit Role
PCAOB CAISI Licenses and oversees auditors
CPA / audit firm IVO Performs regular audits once licensed
Financial statements Frontier AI framework The document being audited
SEC-mandated disclosure Transparency report Verified result made public

The crux is independence. Financial audits are trusted because the auditor is not an employee on the company's payroll but a licensed expert from outside. GAAIA is after the same thing: ending the era of self-declaration and making safety carry an outside signature.

4

What Gets Audited — Data and Models Become the Evidence

This is where companies working on data and model quality should pay attention. For an IVO to verify whether "this developer mitigated the risks sufficiently," it has to look at evidence, not words. And that evidence is precisely the record of the data and the models.

Under the draft, an IVO must verify a developer's risk-mitigation framework, governance policies, and risk-monitoring system. To actually confirm any of this, it has no choice but to examine the following.

  • Documentation of training-data provenance and quality — data lineage and bias-testing records
  • Model evaluation records — benchmark results and red-team reports
  • Pre-deployment risk-assessment documents — the history of which risks were measured and how they were reduced
Training Data provenance & quality docs Model Training eval & red-team records Risk Assessment mitigation history IVO Audit "Is there evidence?" Untraceable → audit fails traceable record → verifiable record → auditable evidence →
▲ How data and models become audit evidence — original Pebblous diagram. Untraceable records make an IVO audit impossible.

In other words, the ability to produce "auditable evidence about data and models" becomes the core infrastructure of compliance. Unless you keep a traceable record of where the data came from and how it was verified, and of which risks the model cleared, the audit cannot even get off the ground.

Right now, the set of organizations able to play the IVO role is essentially empty. The job calls for a specialist body that understands the technical character of AI models and can verify them independently — and that capability overlaps exactly with what companies handling data auditing, model evaluation, and standards-based documentation (ISO 42001, NIST AI RMF) have been building. Just as the conformity assessment bodies of the EU AI Act did, this seat is a new market opened by law.

5

The Bill's Reality — Still a Long Way to Go

Soberly assessed, GAAIA is still only a discussion draft. It has not even been formally introduced. The opposition is formidable. Groups such as Americans for Responsible Innovation and the Alliance for Secure AI are running ad campaigns against the clause that would preempt state law for three years. House Democrats, heading into the midterms, are likely to push back hard rather than hand Republicans a win, and Republican leadership is skeptical too.

The fight over preemption is ongoing. The draft would preempt, for three years (roughly through the end of 2029), state laws that specifically regulate the development stage of frontier models. General laws — post-deployment regulation, consumer protection, privacy, and anti-discrimination — are left intact. Its partial collisions with state laws like California's SB 53, New York's RAISE Act, and Illinois's SB 315 only complicate the bill's political fate further.

Even so, the direction converges on one point. The EU AI Act already demands training-data governance, the NIST AI RMF has become a U.S. federal procurement standard, and ISO 42001 is emerging as a verification benchmark for enterprise procurement. Onto this, GAAIA would layer a federal licensed audit. Even if this particular draft never becomes law, the movement to turn AI auditing into a licensed profession has already begun.

Licensed AI Audit verifiable data & model evidence EU AI Act training-data governance NIST AI RMF federal procurement standard ISO 42001 enterprise verification benchmark GAAIA (draft) federal licensed audit (IVO)
▲ Four regulatory frameworks converging on licensed AI audit — original Pebblous diagram. Each framework approaches the same conclusion from a different direction.

What matters more than whether any single bill passes is that the question has shifted. The ask is no longer "Is the AI safe?" but "Who confirms it, on what evidence, and against which standard?" The moment that producing and verifying that evidence becomes regulatory infrastructure, data and model quality stop being a byproduct of development and become the language of regulation.

R

References

Official documents

Legal and policy analysis

Industry and press